Checklist: Setting Up a Federation Server

This checklist includes the deployment tasks that are necessary to prepare a server running Windows Server 2008 for the federation server role in Active Directory Federation Services (AD FS) 2.0.

Tip

You can find additional AD FS 2.0 resource links at the AD FS 2.0 Content Map page on the Microsoft TechNet Wiki. This page is managed by members of the AD FS 2.0 Community and is monitored on a regular basis by the AD FS Product Team.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Review information about how federation servers use service communication certificates and token-signing certificates to securely authenticate client and federation server proxy requests.

Caution

Though it has long been common practice to use certificates with unqualified host names such as https://myserver, these certificates have no security value and can enable an attacker to impersonate the AD FS 2.0 Federation Service to enterprise clients. Therefore, it is recommended that you use a fully qualified domain name (FQDN) such as https://myserver.contoso.com and use only SSL certificates issued to the FQDN of your Federation Service.
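The following PowerShell audit is an added example and is not part of this checklist or of AD FS 2.0 itself. It lists the server-authentication certificates in the local computer's Personal store, extracts the subject CN and the DNS names from the Subject Alternative Name extension, and flags any certificate that is issued to an unqualified host name, has no private key, has expired, or does not cover the Federation Service name. The Federation Service name (`fs.contoso.example`) is a placeholder you must replace; run it in an elevated PowerShell session on the federation server before binding a certificate in the configuration wizard.

```powershell
# Added example (not from the TechNet checklist). Audits candidate service
# communication certificates and reports unqualified names before one is bound
# to the Federation Service.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the subject CN plus every "DNS Name=" entry in the SAN extension
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders the SAN as "DNS Name=a.example, DNS Name=b.example"
        $san.Format($false) -split ',\s*' | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-FederationServiceCertificate {
    param(
        [string]$ExpectedFqdn = 'fs.contoso.example',   # placeholder: your Federation Service name
        [string]$StorePath    = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem $StorePath | Where-Object {
        # Keep certificates with no EKU (any purpose) or with Server Authentication (1.3.6.1.5.5.7.3.1)
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        (-not $eku) -or (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
    } | ForEach-Object {
        $names       = @(Get-CertificateDnsNames -Cert $_)
        # A name without a dot (e.g. "myserver") is unqualified and has no security value
        $unqualified = @($names | Where-Object { $_ -notmatch '\.' })
        # -like lets a wildcard name such as *.contoso.example match the expected FQDN
        $covers      = @($names | Where-Object { $ExpectedFqdn -like $_ }).Count -gt 0
        $expired     = $_.NotAfter -lt (Get-Date)
        $usable      = $covers -and ($unqualified.Count -eq 0) -and $_.HasPrivateKey -and (-not $expired)

        New-Object PSObject -Property @{
            Thumbprint              = $_.Thumbprint
            Names                   = ($names -join ', ')
            UnqualifiedNames        = ($unqualified -join ', ')
            CoversFederationService = $covers
            HasPrivateKey           = $_.HasPrivateKey
            Expired                 = $expired
            Verdict                 = if ($usable) { 'usable' } else { 'do not use' }
        }
    }
}

# Usage: replace the placeholder with the FQDN clients will use to reach the Federation Service.
Test-FederationServiceCertificate -ExpectedFqdn 'fs.contoso.example' | Format-Table -AutoSize
```

Only a certificate whose Verdict is `usable` should be selected in the configuration wizard; a certificate that lists an unqualified name in `UnqualifiedNames` is exactly the case the caution above warns about, even if it also carries the FQDN.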

Join the computer that will become the federation server to a domain in the account partner forest or the resource partner forest in which it will authenticate users from that forest or from trusting forests.

Note

If you want to set up a federation server in the account partner organization, the computer must first be joined to any domain in the forest where your federation server will be used to authenticate users from that forest or from trusting forests.

(Optional) If you will be adding a federation server to a federation server farm, you might first have to export the private key of the existing token-signing certificate from the first federation server in the farm, so that the certificate is available as a file when the other federation servers must import the same certificate.

Exporting the private key is not required when the issued server authentication certificate can be installed on multiple computers without an export, or when you will obtain a unique server authentication certificate for each federation server in the farm.

If you will be configuring a federation server farm environment in an account partner organization, you must create and configure a dedicated service account in Active Directory Domain Services (AD DS) where the farm will reside and configure each federation server in the farm to use this account. By performing this procedure, you will allow clients on the corporate network to authenticate to any of the federation servers in the farm using Windows Integrated Authentication.
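The following PowerShell check is an added example, not part of this checklist or of AD FS 2.0 itself. It covers the two farm prerequisites in the preceding steps at once: every farm member must hold the same token-signing certificate with its private key present, and the AD FS 2.0 Windows service (`adfssrv`) on every member must log on as the dedicated service account. It assumes PowerShell remoting is enabled on the farm members and that the AD FS 2.0 snap-in (`Microsoft.Adfs.PowerShell`) is installed there; the server names and the account `CONTOSO\svc-adfs` are placeholders. The private-key check applies to the case the step describes, a certificate you export and import yourself.

```powershell
# Added example (not from the TechNet checklist). Verifies token-signing
# certificate consistency and the service account across a federation server farm.

function Get-FarmMemberState {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
        # Primary token-signing certificate as recorded in the AD FS configuration
        $ts = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
        # The same thumbprint must exist in the local computer store with its private key,
        # otherwise the member cannot sign tokens and the exported PFX was not imported here
        $local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ts.Thumbprint }
        # Logon account of the AD FS 2.0 Windows service
        $svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
        New-Object PSObject -Property @{
            Server                 = $env:COMPUTERNAME
            TokenSigningThumbprint = $ts.Thumbprint
            PrivateKeyPresent      = [bool]($local -and $local.HasPrivateKey)
            ServiceAccount         = $svc.StartName
        }
    }
}

function Test-FederationFarm {
    param(
        [string[]]$FarmMembers,                          # placeholders, e.g. 'fs1','fs2'
        [string]$ExpectedServiceAccount = 'CONTOSO\svc-adfs'   # placeholder dedicated account
    )
    $states      = @($FarmMembers | ForEach-Object { Get-FarmMemberState -ComputerName $_ })
    $thumbprints = @($states | ForEach-Object { $_.TokenSigningThumbprint } | Select-Object -Unique)

    foreach ($s in $states) {
        $problems = @()
        if ($thumbprints.Count -gt 1) {
            $problems += 'token-signing certificate differs between farm members'
        }
        if (-not $s.PrivateKeyPresent) {
            $problems += 'token-signing private key missing from LocalMachine\My; import the exported certificate'
        }
        if ($s.ServiceAccount -ne $ExpectedServiceAccount) {
            $problems += "service runs as '$($s.ServiceAccount)', expected '$ExpectedServiceAccount'"
        }
        New-Object PSObject -Property @{
            Server     = $s.Server
            Thumbprint = $s.TokenSigningThumbprint
            Status     = if ($problems.Count -eq 0) { 'ready' } else { $problems -join '; ' }
        }
    }
}

# Usage: list every farm member; any Status other than 'ready' names the step to repeat on that server.
Test-FederationFarm -FarmMembers 'fs1', 'fs2' -ExpectedServiceAccount 'CONTOSO\svc-adfs' | Format-Table -AutoSize
```

A member that reports a different thumbprint or a missing private key will fail to validate tokens issued by its peers, and a member whose service runs as a different account breaks Windows Integrated Authentication for clients that are load-balanced to it, so resolve every non-`ready` row before adding the server to production traffic.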

Configure the AD FS 2.0 software on the computer to act in the federation server role by using the AD FS 2.0 Federation Server Configuration Wizard.

Follow this procedure when you want to set up a stand-alone federation server, create the first federation server in a new farm, or join a computer to an existing federation server farm.

Note

For the Federated Web Single Sign-On (SSO) design, you must have at least one federation server in the account partner organization and at least one federation server in the resource partner organization.

(Optional) Use the AD FS 2.0 Management snap-in to add and configure the necessary AD FS 2.0 certificates required to deploy your design. For more information about when to add or change certificates using the snap-in, see Certificate Requirements for Federation Servers.